As a side note, the website in this particular sample had been compromised twice. The same page that redirects the browser to some unknown EK also has a 'CookieBomb' script injected into it.

part of 'CookieBomb' script

part of deobfuscated 'CookieBomb' script

The URL the 'CookieBomb' script leads to was dead at the time the 'live' capture took place. More on the 'CookieBomb' threat can be found on the MMD website.

Back to the Unknown EK now; the following URL pattern was observed - pastebin.com.

'Unknown EK' URL pattern

Seeing the 'cnt.php' redirect script most likely indicates that the website was compromised through CVE-2013-1862. Hendrik Adrian (MMD) covered this subject in great detail in one of his blog posts.

The EK landing page is as simple as it can be.

Unknown EK landing page - request for JNLP

The JNLP file launches the JavaFX application.

Unknown EK JNLP file

Note the number of HTTP GET requests after the JavaFX application JAR is downloaded. They are the result of the 'Class-Path' header in the 'MANIFEST.MF' file referencing those files.

Unknown EK MANIFEST.MF file content
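To reproduce the list of follow-up GET requests from a JAR's manifest, the parser below (an added example, not code from the post or from the kit) unfolds 'MANIFEST.MF' continuation lines (a line starting with a single space continues the previous one, and the break may fall in the middle of a token), reads the main-section attributes, resolves every 'Class-Path' entry against the JAR's own URL and lists the hosts that would be contacted. The manifest text and the JAR URL are constructed for the example; only the 'Class-Path' mechanism itself comes from the post.

```python
from urllib.parse import urljoin, urlparse

# Constructed manifest (not the real EK's): note the Class-Path value is folded
# mid-token across a continuation line, which is legal in the JAR format.
MANIFEST_MF = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.7.0 (constructed sample)\r\n"
    "Class-Path: lib/one.jar http://cdn.example.test/extra.jar lib/thr\r\n"
    " ee.jar\r\n"
    "Main-Class: app.Main\r\n"
    "\r\n"
    "Name: app/Main.class\r\n"
    "SHA1-Digest: constructed\r\n"
)

# Constructed URL the application JAR was fetched from (assumption for the example).
JAR_URL = "http://example.test/5/201311/app.jar"


def parse_manifest(text):
    """Return the main-section attributes of a MANIFEST.MF as a dict."""
    lines = text.replace("\r\n", "\n").split("\n")
    unfolded = []
    for line in lines:
        if line.startswith(" ") and unfolded:
            # Continuation: drop the leading space and glue to the previous line.
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        if not line.strip():
            break  # the first blank line ends the main section
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def class_path_urls(attrs, jar_url):
    """Resolve each Class-Path entry the way the JVM does: relative to the JAR's URL."""
    return [urljoin(jar_url, entry) for entry in attrs.get("Class-Path", "").split()]


def contacted_hosts(urls):
    """Distinct hosts that the Class-Path downloads would reach, in first-seen order."""
    hosts = []
    for u in urls:
        host = urlparse(u).netloc
        if host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    attrs = parse_manifest(MANIFEST_MF)
    urls = class_path_urls(attrs, JAR_URL)
    for u in urls:
        print("expected GET:", u)
    print("hosts:", contacted_hosts(urls))
```

Comparing this list with the proxy or capture log is a quick way to confirm that the extra requests are manifest-driven dependencies rather than a second stage.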

Also note that there is no HTTP GET request in the Fiddler log for the Initial Payload. This is due to the way it is requested: during JavaFX application execution, control is passed to the 'javaw.exe' tool along with the class file that requests and executes the Initial Payload. 'javaw.exe' is not proxy-aware and sends the request directly to the malicious website, which technically means that if you are on a network behind a web proxy with no direct access to the Internet, you are safe from this exploit kit.

"Back off, man. I'm a scientist!"

There is almost no obfuscation applied to the code - some of the string variable values are split and then concatenated.

Once execution privileges are elevated, a hidden .class file is decoded and loaded. During this process it is saved to the Java Temp folder under the filename 'NewClass.class'. The class file is 'base64' encoded and handles the Initial Payload download and execution.

part of 'base64' encoded hidden .class file
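A base64-encoded class file is easy to spot in decompiled source: the class-file magic 0xCAFEBABE encodes to the prefix 'yv66v', and with the usual zero high byte of the minor version the first six characters are 'yv66vg'. The script below is an added example (not the post's code) that collapses the split-and-concatenated string literals described above, finds such blobs, decodes them and reads the class-file header (magic, version, constant pool count). The decompiled fragment and the class bytes are constructed, not taken from the kit.

```python
import base64
import re
import struct

CLASS_MAGIC = 0xCAFEBABE
# Base64 of CA FE BA BE 00: the 'g' assumes the minor_version high byte is zero,
# which holds for practically every class file.
B64_CLASS_PREFIX = "yv66vg"
MAJOR_TO_JAVA = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4",
                 49: "5", 50: "6", 51: "7", 52: "8"}

# Constructed class-file header (not the real NewClass.class): magic, minor 0,
# major 51 (Java 7), constant_pool_count 2, plus two padding bytes.
FAKE_CLASS = struct.pack(">IHHH", CLASS_MAGIC, 0, 51, 2) + b"\x00\x00"
FAKE_B64 = base64.b64encode(FAKE_CLASS).decode()

# Constructed decompiled-source fragment with the blob split across literals
# and concatenated, the way the post describes this kit's strings.
SAMPLE_SOURCE = (
    'String encoded = "' + FAKE_B64[:6] + '" + "' + FAKE_B64[6:11] + '"\n'
    '        + "' + FAKE_B64[11:] + '";\n'
    'byte[] cls = decode(encoded);\n'
)


def join_split_literals(src):
    """Collapse "abc" + "def" (possibly across lines) into "abcdef"."""
    return re.sub(r'"\s*\+\s*"', "", src)


def find_embedded_classes(src):
    """Return every base64 run in src that starts with the class-file magic."""
    joined = join_split_literals(src)
    pattern = re.escape(B64_CLASS_PREFIX) + r"[A-Za-z0-9+/]*={0,2}"
    return re.findall(pattern, joined)


def parse_class_header(data):
    """Return magic-verified header fields of a class file, or None if not a class."""
    if len(data) < 10:
        return None
    magic, minor, major, cp_count = struct.unpack(">IHHH", data[:10])
    if magic != CLASS_MAGIC:
        return None
    return {"minor": minor, "major": major,
            "java": MAJOR_TO_JAVA.get(major, "unknown"),
            "constant_pool_count": cp_count}


def triage_source(src):
    """Decode each embedded blob and report those that really are class files."""
    results = []
    for blob in find_embedded_classes(src):
        header = parse_class_header(base64.b64decode(blob))
        if header:
            results.append({"b64_length": len(blob), **header})
    return results


if __name__ == "__main__":
    for hit in triage_source(SAMPLE_SOURCE):
        print(hit)
```

Hunting for the 'yv66v' prefix in strings pulled from a JAR, or in a directory listing of the Java Temp folder, is a cheap first pass before any decompilation.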

The Initial Payload URL is not stored in any of the parameters passed to the JVM or in variables within the code. Instead, it is generated using some tricks JavaFX has to offer.

JavaFX trick to get part of JNLP URI

The code above returns the JNLP file's parent folder URI - in this case 'hxxp://vinnypedulla.com/5/201311/'. The second part of the path is generated dynamically from the current time stamp using the pattern 'HHmmss' - for example, '113458.mp3'. The routine in the screenshot below combines both parts and requests the Initial Payload.

part of the Initial Payload fetcher code

The Initial Payload filename is created by concatenating the same 6 digits (the time stamp) and the '.exe' string. The file is stored in the Java Temp folder. Before it is stored and executed, it is decoded using XOR with a predefined key - 'binkey'.
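The two facts above, a payload URL whose last component is a valid 'HHmmss' time stamp with a '.mp3' extension, and an XOR-encoded body with the key 'binkey', give an analyst enough to triage a capture offline. The script below is an added example (not the post's code or the kit's): it filters captured URLs down to ones matching the naming scheme and predicts the dropped '.exe' name, then XOR-decodes a captured body and checks for the 'MZ' header of a PE file. The URLs and the payload bytes are constructed; applying 'binkey' as a repeating key is an assumption, since the post names the key but not how it is applied.

```python
import re

# Key named in the post; repeating-key application is an assumption for this example.
XOR_KEY = b"binkey"

# Final path component: six digits followed by '.mp3', optional query/fragment.
PAYLOAD_RE = re.compile(r"/([0-9]{6})\.mp3(?:[?#].*)?$")

# Constructed capture (not real traffic): one valid time stamp, one impossible
# time (hour 25), one ordinary dependency download.
CAPTURED_URLS = [
    "http://example.test/5/201311/113458.mp3",
    "http://example.test/5/201311/256000.mp3",
    "http://example.test/5/201311/app.jar",
]

# Constructed stand-in for a decoded PE: DOS header stub with 'MZ' and 'PE' markers.
PLAIN_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00PE\x00\x00"


def valid_hhmmss(digits):
    """True if six digits form a real wall-clock time 00:00:00 .. 23:59:59."""
    hh, mm, ss = int(digits[0:2]), int(digits[2:4]), int(digits[4:6])
    return hh < 24 and mm < 60 and ss < 60


def payload_time_stamp(url):
    """Return the HHmmss digits if url follows the payload naming scheme, else None."""
    m = PAYLOAD_RE.search(url)
    if not m or not valid_hhmmss(m.group(1)):
        return None
    return m.group(1)


def expected_dropped_name(url):
    """Name the kit would give the decoded file in the Java Temp folder."""
    ts = payload_time_stamp(url)
    return ts + ".exe" if ts else None


def scan_urls(urls):
    """(url, predicted exe name) for every URL matching the scheme."""
    return [(u, expected_dropped_name(u)) for u in urls if payload_time_stamp(u)]


def xor_decode(data, key=XOR_KEY):
    """Repeating-key XOR; symmetric, so it also serves to build the sample."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def triage_payload(blob, key=XOR_KEY):
    """Decode a captured body and report whether a PE header appears."""
    decoded = xor_decode(blob, key)
    return {"is_pe": decoded[:2] == b"MZ", "size": len(decoded), "decoded": decoded}


# Constructed encoded body, built by XORing the stub with the same key.
ENCODED_STUB = xor_decode(PLAIN_STUB)


if __name__ == "__main__":
    for url, exe in scan_urls(CAPTURED_URLS):
        print(f"payload candidate: {url} -> would drop {exe}")
    result = triage_payload(ENCODED_STUB)
    print("decodes to PE:", result["is_pe"], "size:", result["size"])
```

Because 'javaw.exe' bypasses the proxy, the URL list to feed in comes from a packet capture or firewall log rather than from the proxy log the post's Fiddler view represents.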

"Summary"

This exploit kit sample is implemented as a JavaFX application. Some variable names suggest its creator is a Turkish speaker - for example 'fia', 'analiz', 'fout', 'bais'. Light complexity. It will fail if the targeted machine is behind a web proxy and has no direct access to the Internet.